From 24 September 2020, new laws came into force that require a variety of hospitality, sport, leisure and tourism venues to take personal details, in some form, from those visiting for contact tracing purposes.
Organisations that use such venues must display a government-allocated NHS QR Code for visitors to scan before they can enter, which will link to the NHS contact tracing app.
What if visitors don’t scan the code?
If a visiting individual is unable to scan this code, the venue is required to take the following information from them:
- telephone number
- time and date of visit
- size of group
- names of any members of staff they have interacted with
Collecting these contact details and maintaining records for NHS Test and Trace is a legal requirement, and failure by a relevant organisation to comply is punishable by a fine (from £500 to £4,000).
What happens to the data?
The venue is required to retain this data for a period of 21 days, and destroy such data when that time has passed. The venue is also obliged to pass on such information to the relevant authorities when requested to do so.
The Government Guidance makes clear that the data collected by venues in relation to this law must be handled in accordance with GDPR. As such, your organisation is likely to need to update its privacy notice and/or data retention policy to cover this new type of data processing.